Know your enemy: tracking botnets

From Botnets.fr
Jump to navigation Jump to search

(Publication) Google search: [1]

Know your enemy: tracking botnets
Botnet
Malware
Botnet/malware group
Exploit kits
Services
Feature
Distribution vector
Target
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol
Date 2008 /
Editor/Conference Honeynet projects
Link http://www.honeynet.org/papers/bots/ (Archive copy)
Author Paul Bächer, Thorsten Holz, Markus Kötter, Georg Wicherski
Type

Abstract

Honeypots are a well known technique for discovering the tools, tactics, and motives of attackers. In this paper we look at a special kind of threat: the individuals and organizations who run botnets. A botnet is a network of compromised machines that can be remotely controlled by an attacker. Due to their immense size (tens of thousands of systems can be linked together), they pose a severe threat to the community. With the help of honeynets we can observe the people who run botnets - a task that is difficult using other techniques. Due to the wealth of data logged, it is possible to reconstruct the actions of attackers, the tools they use, and study them in detail. In this paper we take a closer look at botnets, common attack techniques, and the individuals involved.

We start with an introduction to botnets and how they work, with examples of their uses. We then briefly analyze the three most common bot variants used. Next we discuss a technique to observe botnets, allowing us to monitor the botnet and observe all commands issued by the attacker. We present common behavior we captured, as well as statistics on the quantitative information learned through monitoring more than one hundred botnets during the last few months. We conclude with an overview of lessons learned and point out further research topics in the area of botnet-tracking, including a tool called mwcollect2 that focuses on collecting malware in an automated fashion.

Bibtex

 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2008BFR802,
   editor = {Honeynet projects},
   author = {Paul Bächer, Thorsten Holz, Markus Kötter, Georg Wicherski},
   title = {Know your enemy: tracking botnets},
   date = {12},
   month = Jul,
   year = {2008},
   howpublished = {\url{http://www.honeynet.org/papers/bots/}},
 }